Possible bug in PF with if_bridge

Michiel Kranenburg michiel at nl-hrln-ptgrf.net
Tue Dec 13 09:07:39 PST 2005


Hello all,


I may have found a bug in PF (in combination with if_bridge) on
FreeBSD 6.0-RELEASE.


Let me explain my situation first:

The xl1 and xl2 interfaces are connected together as a bridge (bridge0).

The sysctl settings that are used:
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

After applying these settings and configuring ifconfig, a new interface pops
up.

---------------------------------------------
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:8c:58:62
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: xl2 flags=3<LEARNING,DISCOVER>
        member: xl1 flags=3<LEARNING,DISCOVER>
---------------------------------------------

The bridge is working fine, and passes all traffic as it's supposed to.


The weird thing occurs when using PF to filter the bridge.
Let me post my pf.conf first: (I did not post the declaration of variables
on top of the conf) 

---------------------------------------------
scrub in all

block in log on bridge0 from any to $mynet
block return-rst in log on bridge0 proto tcp from any to $mynet

pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass out on bridge0 proto {tcp,udp} from $mynet to any keep state

pass on lo0 all


## ICMP Section ##
pass in on bridge0 proto icmp from any to $mynet icmp-type { 0 3 8 11 } keep state
pass out on bridge0 proto icmp from $mynet to any icmp-type { 0 3 8 11 } keep state


## DNS Replies ##
pass in on bridge0 proto {tcp,udp} from {217.149.196.6,217.149.192.6} to $mynet port 53 keep state


## Router ##
pass in on bridge0 proto {tcp,udp} from any to $router port 22 flags S/SA keep state


## Mail ##
pass in on bridge0 proto {tcp,udp} from any to $mail port 25 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from {$mynet} to $mail port 143 flags S/SA keep state


## Web ##
pass in on bridge0 proto {tcp,udp} from any to $web port 80 flags S/SA keep state
pass in on bridge0 proto {tcp,udp} from any to $web port 443 flags S/SA keep state
---------------------------------------------


As you can see, I want to block every incoming packet (if not 'passed' later
in the ruleset) to the bridge (to the network on the other side).


Now comes the strange part:

Behind $web and $mail, SSH servers are running. As defined by the rules, I
don't want to allow any connection from the outside to the SSH servers.
BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
some _don't_ (as it is supposed to be).

The connections that are accepted (in violation of the PF rules) to the
SSH servers are logged in /var/log/pflog as denied. (So PF marks the packets
as denied, but doesn't block them!)

These faults don't apply to SSH servers only! It happens to every service on
the network.

At least, the hosts that I have tested with are not in a specific IP range.
I just picked some random hosts with different IP addresses and tried to
telnet to the service ports. With some hosts I got a nice 'return-rst'
packet, telling me that the connection is refused. With others I got the
service response.


I hope some of you guys can help me out.

Please CC me as I'm not subscribed to this list.


With kind regards,
Michiel Kranenburg
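One way to confirm the symptom described in this report, as an added example that is not part of the original post or of PF itself: correlate the `block` entries in a pflog dump with a packet capture taken on the inside member interface (xl2) and list the flows that were logged as blocked yet still showed up on the inside. The log lines, addresses and rule numbers below are constructed in the style of tcpdump output, and the regular expressions are an assumption about that text format.

```python
import re

# Constructed sample in the style of `tcpdump -n -r /var/log/pflog`
# (hypothetical addresses and rule numbers, not taken from the report).
PFLOG_LINES = """\
00:00:01.000000 rule 1/0(match): block in on bridge0: 198.51.100.7.40112 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:02.000000 rule 1/0(match): block in on bridge0: 198.51.100.9.40500 > 192.0.2.11.22: S 1:1(0) win 65535
00:00:03.000000 rule 7/0(match): pass in on bridge0: 203.0.113.5.51000 > 192.0.2.11.25: S 1:1(0) win 65535
"""

# Constructed sample in the style of `tcpdump -n -i xl2` on the inside member
# interface; the first flow above reaches the inside and even gets a SYN/ACK.
INSIDE_LINES = """\
00:00:01.000500 IP 198.51.100.7.40112 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:01.001000 IP 192.0.2.10.22 > 198.51.100.7.40112: S 100:100(0) ack 2 win 65535
00:00:03.000500 IP 203.0.113.5.51000 > 192.0.2.11.25: S 1:1(0) win 65535
"""

# (src, sport, dst, dport) as printed by tcpdump: "a.b.c.d.port > e.f.g.h.port:"
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
PFLOG_RE = re.compile(r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\w+): (.*)")

def parse_pflog(text):
    """Map each logged flow to (action, rule number) from pflog-style lines."""
    flows = {}
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        f = FLOW_RE.search(m.group(5)) if m else None
        if f:
            flows[f.groups()] = (m.group(2), int(m.group(1)))
    return flows

def parse_capture(text):
    """Set of flows seen in a plain tcpdump capture (direction preserved)."""
    return {f.groups() for f in map(FLOW_RE.search, text.splitlines()) if f}

def leaked_flows(pflog_text, inside_text):
    """Flows pflog reports as blocked that nevertheless appear on the inside."""
    logged = parse_pflog(pflog_text)
    inside = parse_capture(inside_text)
    return sorted((flow, rule) for flow, (action, rule) in logged.items()
                  if action == "block" and flow in inside)

if __name__ == "__main__":
    for flow, rule in leaked_flows(PFLOG_LINES, INSIDE_LINES):
        print("blocked by rule %d but seen inside: %s.%s -> %s.%s" % ((rule,) + flow))
```

A flow reported here means the `block` log entry and the inside capture disagree, which is exactly the "logged as denied but not blocked" behaviour worth raising on the list.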